aspack site down ? Need latest asprotect with latest revirgin dev


tsehp
June 25th, 2001, 08:34
hi,
just wanted to test the latest rv with latest asprotect, but the site is down, and I can swear it's not my fault ;-) who has the latest asprotect download ?

ReVirgin's tracer is now working fine on win9x and ME, and the beta will soon be available. The new tracer can resolve vbox 4.5's encrypted iat 15 times faster than before, and the tracer option allows you to trace a prog like icedump, set some limits to freeze and later dump the app. I'm almost finished.

I also have to make a decision :
asprotect and the latest vbox4.5 begin to wrap some apis like this :
iat entry 1
code 1
code 2
real api call
code 3
ret

and a check inside the main exe verifies if the api was called. splaj did a quick fix by directly putting the api address into iat entry 1, so all the code around is useless, but we can imagine that they could improve this.

solution 1 : put into rv an option to redirect the iat to an rva offset into your dump that will contain the same code, but this could be long to build if later they make 100 iat's like this.

solution 2: transform the interesting code into a fake dll, so revirgin could point the iat's to those api call wrappers, harder to do but much harder to defeat.

solution3: discussion is open and suggestions are welcome...


regards,

tsehp

+SplAj
June 25th, 2001, 09:43
Tsehp

pssst, maybe Alexey retired ;-)

.........just in case tho' the dll is the way to go for me. You provide a blank 'template' dll and if code is found as before , build it, fill it with the code from aspr , link the IAT/IT to it and bobs yer uncle.

wow, can't wait for that tracer }>

CYA soon , still waiting for my best trousers to come back from the cleaners

Kilby
June 25th, 2001, 10:23
I downloaded a version just over a week ago.

But it's probably out of date already.

Regards,

Kilby...

tsehp
June 27th, 2001, 19:05
Quote:
+SplAj (06-25-2001 07:43):
Tsehp

pssst, maybe Alexey retired ;-)

.........just in case tho' the dll is the way to go for me. You provide a blank 'template' dll and if code is found as before , build it, fill it with the code from aspr , link the IAT/IT to it and bobs yer uncle.

wow, can't wait for that tracer }>

CYA soon , still waiting for my best trousers to come back from the cleaners


false alarm, it was a temp shut off for the site, maybe some rush of malcontent clients claiming a refund ;-)

dll seems to be the best option, but it has to be loaded dynamically, so we're still obliged to paste some loading code inside the target...

the tracer is working on every program that I submit to it now, I just have to build a small disass into the tracer's window and we're on, then I'll adapt it to win2k. I'll upload the beta before sunday, regards.

Eternal Bliss
June 28th, 2001, 06:41
Quote:
+Tsehp (06-27-2001 17:07):

false alarm, it was a temp shut off for the site, maybe some rush of malcontent clients claiming a refund ;-)

dll seems to be the best option, but it has to be loaded dynamically, so we're still obliged to paste some loading code inside the target...

the tracer is working on every program that I submit to it now, I just have to build a small disass into the tracer's window and we're on, then I'll adapt it to win2k. I'll upload the beta before sunday, regards.



tsehp,
I finally had some time to try out ReVirgin and also compared it with MackT's Import Reconstructor... 8P
One thing I notice is that with ReVirgin, resolving imports seldom works for me. I am not sure why. 8P But I am able to unpack aspack itself (downloaded 2 days ago) with the imports nicely built.
Sometimes, I make use of both programs to build the import table because occasionally, ReVirgin is able to find the imports but not MackT's, and vice versa. 8P
And I use MackT's to enter the RVA of the import table and size in ReVirgin too. 8P


Regards
EB

SpeKKeL
June 29th, 2001, 12:25
Hajo,

Can't wait for your new RV.
Keeps getting better and better,
Last version tried on PEcompact1.50
(i know it isn't asp.) and worked 100%!

Greetz SpeKKeL....

tsehp
June 29th, 2001, 19:49
I just studied mackT's new tool, the presentation is different from mine, more compact, but I still prefer my good old iat table, even if it takes more space, I go quicker with it.
It lacks a real tracer, but it is a little better done concerning the disass trace section: it just looks at the iat entry and reports the first api call encountered, but this could lead to failures if alexey calls several around.

After a while, I came to the idea to add a new function :
show a listing when an iat entry does not lead to the main api, I could maybe let the user set some limits and paste this code at the dumped end, then enter into the iat the code's rva... what do you think ?

Eternal Bliss
June 30th, 2001, 07:43
Quote:
+Tsehp (06-29-2001 17:49):
I just studied mackT's new tool, the presentation is different from mine, more compact, but I still prefer my good old iat table, even if it takes more space, I go quicker with it.
It lacks a real tracer, but it is a little better done concerning the disass trace section: it just looks at the iat entry and reports the first api call encountered, but this could lead to failures if alexey calls several around.

After a while, I came to the idea to add a new function :
show a listing when an iat entry does not lead to the main api, I could maybe let the user set some limits and paste this code at the dumped end, then enter into the iat the code's rva... what do you think ?


Are you referring to something like cs:call dword ptr [IAT_Entry] where IAT_Entry is the VA of some code that is in a totally different address space and not 00400000? I have seen something like that in azpr.exe (unpacked last night). It is used to call DialogBoxIndirectParamA and also uses FindResource, LoadResourceA, LockResource. I had to copy and write that section of the code in an empty part of the file and patch the call.

If that is what you are refering to, I think it is a great idea. 8) Save a lot of trouble and time. 8P
Also, is it possible to have the option to rearrange all the IAT according to the dlls? 8P

Regards
EB

madmax
June 30th, 2001, 08:56
I'm not sure how necessary it is to save that whole routine with the load/lock/freeresource apis with the dialogbox api as well...If I recall, in elcomsoft.com products the load/lockresource apis are replaced by null reroutes, which assumes they are not important apis! But you can easily spot these when rebuilding the IAT and fix 'em, then replace the entry leading to the routine you copied with a simple dialogbox API...I think the advanced pdf program was like this...My two cents =P

madmax

tsehp
June 30th, 2001, 19:39
eternal bliss : exactly, the code is located inside asprotect and makes some eventual tests to jump over the api call, especially if some parameters are null...

madmax: you're also right, at this point all this mess leads to a unique api, and it's normal because otherwise he would have extracted the original code into another place, it's just some mess put around the api call to confuse the live tracer.

But if we simply invert the process by importing this code and pasting it at the dumped target's end, we don't have to trace those routines anymore and the process is simplified. Maybe I'll wait a little more to see how things evolve on this subject, adding such a functionality while it's not very imperative is maybe not worth it at the moment.
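
The wrapper layout tsehp sketched at the top of the thread (iat entry -> code -> real api call -> code -> ret, with tests that can jump over the api call) and the "look at the iat entry and report the first api call encountered" approach he describes for MackT's tool, as an added example. This is not ReVirgin's or ImportREC's code: it is a small static walker written for this page that follows a redirected IAT entry through the handful of x86 opcodes such a stub is made of, forks at conditional jumps so a null-parameter bypass does not hide the api, and tags each slot with the states tsehp lists further down (resolved / redirected (to resolve) / not resolved). The module ranges, export addresses, stub bytes and IAT contents are all constructed for the demonstration, and the rva 63f0 is borrowed from the thread only as a label.

```python
import struct

IMAGE_BASE = 0x00400000

# Constructed module map (base, size, exports): stand-ins for the real DLLs.
MODULES = {
    "kernel32.dll": (0x77E60000, 0xF0000, {"GetVersion": 0x77E6B000}),
    "user32.dll": (0x77D40000, 0x90000, {"DialogBoxParamA": 0x77D58000}),
}
API_NAMES = {a: m + "!" + n for m, (_, _, e) in MODULES.items() for n, a in e.items()}

def in_module(va):
    return any(b <= va < b + s for b, s, _ in MODULES.values())

class Memory:
    """Sparse process memory {start_va: bytes}; build_sample() fills it."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, va, n):
        for start, data in self.regions.items():
            if start <= va and va + n <= start + len(data):
                return data[va - start:va - start + n]
        raise KeyError(f"unmapped {va:#x}")

    def unpack(self, va, fmt):            # "<b" rel8, "<i" rel32, "<I" pointer
        return struct.unpack(fmt, self.read(va, struct.calcsize(fmt)))[0]

def walk_to_api(mem, start, max_steps=64):
    """Follow code from `start` until it lands inside a DLL; return the API name.
    Decodes only the opcodes such stubs use; a jz/jnz forks the walk, so a stub
    that skips the API when a parameter is null still resolves via the other path."""
    todo, seen = [start], set()
    while todo:
        pc = todo.pop()
        for _ in range(max_steps):
            if in_module(pc):
                return API_NAMES.get(pc, f"{pc:#x} (no export here)")
            if pc in seen:
                break
            seen.add(pc)
            try:
                op, nxt = mem.read(pc, 2)
                if op in (0x90, 0x6A, 0x68):                  # nop, push imm8/imm32
                    pc += {0x90: 1, 0x6A: 2, 0x68: 5}[op]
                elif op == 0x85 and nxt == 0xC0:              # test eax,eax
                    pc += 2
                elif op in (0x74, 0x75):                      # jz/jnz rel8: fork
                    todo.append(pc + 2 + mem.unpack(pc + 1, "<b"))
                    pc += 2
                elif op == 0xEB:                              # jmp rel8
                    pc += 2 + mem.unpack(pc + 1, "<b")
                elif op in (0xE8, 0xE9):                      # call/jmp rel32
                    pc += 5 + mem.unpack(pc + 1, "<i")
                elif op == 0xFF and nxt in (0x15, 0x25):      # call/jmp dword ptr [abs32]
                    pc = mem.unpack(mem.unpack(pc + 2, "<I"), "<I")
                else:                                         # ret or undecoded: dead end
                    break
            except KeyError:                                  # ran off mapped memory
                break
    return None

def resolve_iat(mem, iat_va, count):
    """Tag each slot: resolved (a DLL address), redirected (walk found the API,
    slot still to be fixed) or not resolved, the states the thread lists."""
    out = []
    for i in range(count):
        va = iat_va + 4 * i
        val = mem.unpack(va, "<I")
        if in_module(val):
            state, api = "resolved", API_NAMES.get(val)
        else:
            api = walk_to_api(mem, val)
            state = "redirected (to resolve)" if api else "not resolved"
        out.append((va - IMAGE_BASE, val, state, api))
    return out

def build_sample():
    """Constructed image: three IAT slots at RVA 0x63F0 and a protector stub at
    0x00E3C000 that returns early when its parameter is null and otherwise jumps
    to user32!DialogBoxParamA through a pointer hidden at 0x00E3D000."""
    stub = bytes([
        0x85, 0xC0,                          # test eax,eax
        0x75, 0x01,                          # jnz  +1
        0xC3,                                # ret            ; null param: skip API
        0x68, 0x78, 0x56, 0x34, 0x12,        # push 12345678h ; junk
        0xFF, 0x25, 0x00, 0xD0, 0xE3, 0x00,  # jmp  dword ptr [00E3D000]
        0xC3,                                # ret
    ]) + b"\xCC" * 8
    iat = struct.pack("<III", 0x00E3C000,    # redirected into the stub
                      0x77E6B000,            # already kernel32!GetVersion
                      0x00DEAD00)            # points at nothing mapped
    return Memory({IMAGE_BASE + 0x63F0: iat, 0x00E3C000: stub,
                   0x00E3D000: struct.pack("<I", 0x77D58000)})

if __name__ == "__main__":
    for rva, val, state, api in resolve_iat(build_sample(), IMAGE_BASE + 0x63F0, 3):
        print(f"rva {rva:04X}  ptr {val:08X}  {state:24s} {api or ''}")
```

The api the walk returns is what splaj's quick fix writes straight into the iat slot, so the stub and the tests around it can be ignored. The caveat is the one tsehp raises: a static walk only sees the opcodes it decodes, so a stub that computes its target, patches itself, or uses an opaque test the walker cannot evaluate needs a real tracer (single-stepping the stub in the live process) rather than this kind of disassembly walk.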

Eternal Bliss
July 1st, 2001, 07:22
Hiya,
this is going to sound quite lame but I have a question about ReVirgin... 8P

There is IAT Resolver which I know what it is for.
There is Resolve Again button which I am supposed to click on after IAT Resolver for the redirected APIs. This all goes well.
But after that what is to be done?

Right-clicking on an empty entry gives me the choice of Enable Trace and Trace. What is the difference between them?
I tried Trace and usually it crashes and I have to go into Sice to revert a conditional jump to bring tracer.dll out of a loop. 8P
I tried Enable Trace and the entry is changed to to_resolve. So, naturally, I would click on Resolve Again but then, the entry becomes empty like before. 8P

Then there is the Tracer button which brings up this window with 4 edit boxes. Do I fill them in or what do I do with them? 8P When I try launching an app, it gives me a non-English error message that starts with "Impossible" so I thought it might be because the packed app is already running (so that ReVirgin can resolve the entries in the first place). I am totally lost. 8P

Ok. Enough of my lameness. 8P
I have attached a tut on unpacking azpr with this message. heh

EB

tsehp
July 2nd, 2001, 04:32
yes I admit my interface is sometime a little hard to understand, when you have clicked resolve again, it only fixes the redirected api calls and eventually addresses that you've manually put inside the iat entry.

When you click enable trace, it puts the iat entry into a rv internal state, here they are :
1-resolved
2-not resolved
3-redirected (to resolve)
4-traced (to resolve)

to resolve means that an address is found and you have to click resolve again.

The tracer button is the next future feature of revirgin : trace an app to dump it when it lands to the oep.

Now you've found the failure : you had to patch a jmp to prevent my tracer from going into an infinite loop, so I think that I could do this task :
when the tracer is blocked on this case, I could also add an option to disass the iat entry, select the line entry to trace, this line should contain a call [xxxxxxxx] so we don't care anymore about the tests around.

splaj : finally the dll template is a bad idea, just because they can put later some check code to see if the real protection is present, the above one seems simpler, maybe coupled with an option to import the selected code into the dumped target.

NotMe
July 2nd, 2001, 16:54
Quote:
Eternal Bliss (06-28-2001 04:41):
tsehp,
I finally had some time to try out ReVirgin and also compared it with MackT's Import Reconstructor... 8P
......
..ReVirgin is able to find the imports but not MackT and vis versa. 8P
And I use MackT's to enter the RVA of the import table and size in ReVirgin too. 8P

Regards
EB


Are you sure you can do it successfully like this way?
My answer is NO !!! Coz they handle the "Size" in different ways.

If you got "IAT Start RVA" and "IAT Length" in Revirgin, and wanna put it to MackT's ,
you need to add 4 to the IAT Length. Or you may get an incomplete Import Table in MackT's.

Actually, I prefer RV ^_^ .
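
NotMe's note that ReVirgin's "IAT Length" and ImportREC's "Size" differ by 4, as an added example (not code from either tool): a scanner that finds the IAT in a raw dump by looking for the longest run of DWORDs pointing into the loaded DLLs, treats a single zero DWORD as the separator between one DLL's group and the next and two zeros in a row as the end of the table, and reports the extent in both conventions. It assumes the extra 4 bytes are the table's terminating zero DWORD; the thread only states the +4, so that interpretation is an assumption of this example. The dump, the DLL address ranges and the protector's address range (used to flag redirected slots) are constructed, and file offset == RVA is assumed, as it is for a dump whose sections were written with raw size equal to virtual size.

```python
import struct

# Constructed address ranges: the DLLs mapped in the protected process and the
# region asprotect's own code lives in (a pointer there means a redirected api).
MODULE_RANGES = {"kernel32.dll": (0x77E60000, 0x77F50000),
                 "user32.dll": (0x77D40000, 0x77DD0000)}
PROTECTOR_RANGE = (0x00E30000, 0x00E50000)

def classify(val):
    """What a DWORD found in the dump looks like."""
    if val == 0:
        return "zero"
    if any(lo <= val < hi for lo, hi in MODULE_RANGES.values()):
        return "api"
    if PROTECTOR_RANGE[0] <= val < PROTECTOR_RANGE[1]:
        return "redirected"
    return "junk"

def find_iat(image, min_entries=3):
    """Locate the IAT in a dump whose file offsets equal RVAs.

    The table is the longest run of DWORD slots holding api (or redirected)
    pointers; one zero inside the run separates two DLLs' groups, two zeros end
    the table.  rv_length runs from the first slot to the end of the last
    pointer; imprec_size adds 4 for the terminating zero DWORD (assumption).
    """
    slots = [struct.unpack_from("<I", image, off)[0]
             for off in range(0, len(image) - 3, 4)]
    kinds = [classify(v) for v in slots]
    ptr = ("api", "redirected")
    best, i = None, 0
    while i < len(slots):
        if kinds[i] not in ptr:
            i += 1
            continue
        start = last = j = i
        while j < len(slots):
            if kinds[j] in ptr:
                last = j
            elif not (kinds[j] == "zero" and j + 1 < len(slots) and kinds[j + 1] in ptr):
                break                      # junk, or a second zero: table ends here
            j += 1
        entries = [(4 * k, slots[k], kinds[k]) for k in range(start, last + 1)]
        n = sum(kind != "zero" for _, _, kind in entries)
        if n >= min_entries and (best is None or n > best["api_count"]):
            rv_len = 4 * (last + 1 - start)
            best = {"iat_rva": 4 * start, "rv_length": rv_len,
                    "imprec_size": rv_len + 4, "api_count": n, "entries": entries,
                    "redirected_rvas": [r for r, _, k in entries if k == "redirected"]}
        i = last + 1
    return best

def build_sample():
    """Constructed dump: 0x6500 bytes with a few code bytes at 0x6000, a lone api
    pointer embedded in code at 0x6100, and the real IAT at RVA 0x63F0
    (kernel32 group with one redirected slot, separator, user32 group, end)."""
    img = bytearray(0x6500)
    img[0x6000:0x6008] = bytes.fromhex("558bec6a00687856")   # push ebp / mov ebp,esp / push 0 / push ...
    struct.pack_into("<I", img, 0x6100, 0x77E6B000)          # too short a run to be the IAT
    struct.pack_into("<8I", img, 0x63F0,
                     0x77E6A000, 0x77E6B000, 0x00E3C000, 0,  # kernel32 group, separator
                     0x77D58000, 0x77D5A000, 0, 0)           # user32 group, terminator
    return bytes(img)

if __name__ == "__main__":
    r = find_iat(build_sample())
    print(f"IAT at RVA {r['iat_rva']:04X}: ReVirgin length {r['rv_length']:X}, "
          f"ImportREC size {r['imprec_size']:X}")
    print("redirected slots:", [f"{x:04X}" for x in r["redirected_rvas"]])
```

On a dump whose sections keep their original raw sizes the offsets would have to go through the section table first; the page's advice to take the RVA and size from one tool and type them into the other only works once both numbers describe the same bytes, which is exactly what the +4 is about.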

tsehp
July 2nd, 2001, 17:39
a pre beta is available, with a new tracer, that is also used to trace an entire app.
notme, write me if you want to test.

about RV, the interface is far from perfect from my point of view, I used to work a lot on the internal code and a lot of friends helped me to debug it, but I'm still open to suggestions to improve the ergonomics.

regards,

tsehp


MODIFICATION : 3/7/2001 I have enough pre beta testers ! stop writing me, I'll soon make an announcement here for the real beta. Please be patient.

Eternal Bliss
July 3rd, 2001, 04:46
Quote:
NotMe (07-02-2001 14:54):
Are you sure you can do it successfully like this way?
My answer is NO !!! Coz they handle the "Size" in different ways.

If you got "IAT Start RVA" and "IAT Length" in Revirgin, and wanna put it to MackT's ,
you need to add 4 to the IAT Length. Or you may get an incomplete Import Table in MackT's.

Actually, I prefer RV ^_^ .


Well, I am sure I know what I am doing although I might not be saying what I thought I wanted to say. 8)
Regards
EB

tsehp
July 3rd, 2001, 17:44
btw, saw that mackt's lacks the trap flag tracer and mine is a reusable dll,
I don't know how to contact him, so if he reads this or someone can report him :
I'm ready to send him the documentation of my dll, so he could add it to his rebuilder.

Eternal Bliss
July 4th, 2001, 05:37
Quote:
+Tsehp (07-03-2001 15:44):
btw, saw that mackt's lacks the trap flag tracer and mine is a reusable dll,
I don't know how to contact him, so if he reads this or someone can report him :
I'm ready to send him the documentation of my dll, so he could add it to his rebuilder.


Hiya,
I talked to him before and he said that the tracer is there. Just need to patch the messagebox. 8P
I will bring the copy I have next time and attach it. He dcc'd it to me in irc. Hope he wouldn't mind me doing it. 8P

Regards
EB

Eternal Bliss
July 5th, 2001, 05:37
I have attached the copy of ImportREC with the 3rd tracer enabled.
Regards
EB

vile_evil_live_splaj
July 5th, 2001, 07:04
As a nice challenge please decompress the following elcomsoft target :-

http://www.mailutilities.com/downloads/

get the Advanced Email Extractor PRO 2.2

and have some phun, I did for 1.5 days :-)

I struggled with that USER32! call at 0x430344 - DialogboxIndirectParamA ??? called to create the 'New' (40A862)
and ''New Search' (406235) menu selections. hehehe

There are a few more tricks to patch as well - LOL 'crypt API missing' blah blah

Oh and a nice email back to elcomsoft re the crash "we are very-very sorry" blah blah. Nice one guys.

BTW I hope you sort out Adobe, I got that ebooks 2.2 ripper thingy yesterday but was busy with this AEE Pro first }>

+SplAj

Kilby
July 5th, 2001, 08:57
Hey Splaj,

I have been having enough trouble with netnak, flexy and ehr ebook thiing.

I don't need another one of those buggers

Kilby...

evil_vile_live_splaj
July 5th, 2001, 09:31
--------------------------------------------------------------------------------
ehr ebook thiing
--------------------------------------------------------------------------------


Kilby

r u learning a scandinavian language ? if so can you help me with my Miele spindrier, I can't follow the control/dial cos it's in Norwegian. The wife leaves for vacation next week and I am on my own for 6 weeks :-) so I need to wash & dry my clothes at least twice in that period .

I'll write down the exact words and you can help me translate. I need a cycle that you put in your wet clothes and they come out dry and crease free :-)

haagen daas

+SplAj }>

Oh BTW did you unpack Elcomsoft AEE pro 2.2 yet ? it's a bastard.

NchantA
July 5th, 2001, 09:54
hey splaj+ and kilby

ebook thing looks wicked, I'm unpacking as fast as I can hehe

'API Not Found, please contact technical support'

is that a trick? or my bad iat rebuilding. I did have trouble with the dialogbox crap, but I think I got it sorted out.

I got no invalid/suspect with imprec, which is my savior. I'll have another look tonite of course. plz email/post me if u can splaji

NchantA

Kilby
July 5th, 2001, 10:14
I wish I was learning a scandinavian language, but it's this bloody morse key I'm forced to use on this machine.

Papertape for a monitor and a morse key for input ain't the way to go.

I have been using a Toshiba Libretto and a JP Jordana too much lately. Now I can't get used to the spacing on this keyboard in work

Real life is in the way of unpacking at the moment, but I'm watching what's going on with asprotect.

It's like the Z80 days watching the various versions of the DJL Speedlock evolving.

Kilby...

Now doctor Frankenstein about those fingers you supplied me with !

Kilby
July 5th, 2001, 10:22
Hey Splaj,

I forgot

If you want a bit of fun look at advanced directory printer.

Loadresource and Lockresource are completely missing

What's more, the usual do-nothing IT entries didn't exist.

That confused me for ages, especially as the end of the IT was right against some code so I couldn't add a couple of entries to the end of the table.

Kilby...

NchantA
July 6th, 2001, 00:32
hey Kilby, splaj+ all...

I've unpacked the ebook asshole. just gonna finish it off, the thing runs fine (finally)

kilby, I'm not sure why mine worked and yours didn't. ttu soon

NchantA

NchantA
July 6th, 2001, 02:12
killed it! one nopped jge blah and it's full...

ima tutor it for all the ppl that wanna know how i unpacked + cracked it. coming soon

NchantA

Kilby
July 6th, 2001, 03:46
I was probably paying attention to other things

DOH !

NchantA
July 6th, 2001, 07:08
dont stress mate and thanks for the tip on the dialogbox api

nC

madmax
July 7th, 2001, 00:44
Well, this email extraction program was similar to the adobe password proggy...Specifically, it also had the dialogbox reroute and I think the ASPR check (push 00,ff,call getprocaddress)..thus it didn't take 1.5 days =P

since there's no "jump" table, I had to be creative and fix the two NULL APIs in KERNEL32 on startup to point towards a RET 0004...I'm not sure if virgin sections were required, but instinctively I manually dump the sections right after decompression to avoid those pesky ASPR mods...Did you need to do this??

madmax!

Kilby
July 7th, 2001, 11:24
Ermm, Gentlemen (and ladies if there any),

this is a DOH moment,

It appears that not only am I unable to type, but also read my own notes

I added the WRONG api call (4 bloody times)

As far as I can ascertain, aspr has not changed for ages, except for the API check.

I'm off to integrity check the rest of my brain

Kilby...

NchantA
July 8th, 2001, 03:22
poor poor Kilby

friend u need some time off aspr for a while i think eeh, it challenges the rest of us that are even partly sane *g*

madmax: if you are referring to the 'push ebp | mov ebp, esp| etc..' sections then you can *very* easily change those pointers (using ImpREC ;D) to FreeResource and LoadResource respectively. if u use ImpREC (I'm not sure about RV) you can even put in the right calls simply by looking at the surrounding imports for example:

kernel32!LoadRecord {example only ;P}
rva:101201 ptr: 293u2u3283 < bad api
kernel32!LockBLah

the last two aspr products I cracked I have done so by simply looking at the surrounding API's and slotting the correct ones in fuck alexy heheheheeh

and yes the push ff, getprocaddress must be patched. its one jne

nC [PGC] [EVC]

evil_vile_live_splaj
July 8th, 2001, 04:31
Hi madmax, the redirected user32!DialogBoxParamA (NOT Indirect as in the code was my newbie experience :-)

My tip for ASPr is set a BPX GetVersion and F12 then see those nice mem locked GETxxxxxxxxx API's you will need to fill in the few blank APIs that RV cannot trace :-

0187:00E3C7D8 6A00 PUSH 00
0187:00E3C7DA E82D7CFFFF CALL KERNEL32!GetModuleHandleA
0187:00E3C7DF A3D435E400 MOV [00E435D4],EAX
0187:00E3C7E4 E83B7CFFFF CALL KERNEL32!GetVersion
0187:00E3C7E9 A3D835E400 MOV [00E435D8],EAX
0187:00E3C7EE 68E435E400 PUSH 00E435E4
0187:00E3C7F3 E8347CFFFF CALL KERNEL32!GetVersionExA
0187:00E3C7F8 E8DF7BFFFF CALL KERNEL32!GetCurrentProcess
0187:00E3C7FD A3DC35E400 MOV [00E435DC],EAX
0187:00E3C802 E8DD7BFFFF CALL KERNEL32!GetCurrentProcessId
0187:00E3C807 A3E035E400 MOV [00E435E0],EAX
0187:00E3C80C E8C37BFFFF CALL KERNEL32!GetCommandLineA
0187:00E3C811 A37836E400 MOV [00E43678],EAX

And there is usually the push FFFFFFFF on the 1st GetProcAddress that is nothing more than "mov eax,1" to bypass the api crypto message. I usually make the call 4xxxxx to this point (1 byte patch) Also as madmax pointed out there is no jmp table to conveniently patch the RET004 so I redirect the OEiP and patch it on the fly, replacing dummy API with some code
then jmp OEiP.

I spent the w/e *doing* all the 'Advanced' mail utils from Elcomsoft and also the updated SmartWhois 3.2 from our friends at Tamo :-)

phew I need a break........but I am still working on cracking that crypto for the 'Save' set a BPM 4A5380 R and see the 32k x 16 'real' reg codes. See the comparison at
0187:00419F3B 8BD0 MOV EDX,EAX
0187:00419F3D 8B74241C MOV ESI,[ESP+1C]
0187:00419F41 B904000000 MOV ECX,00000004
0187:00419F46 8BFA MOV EDI,EDX
0187:00419F48 33C0 XOR EAX,EAX
0187:00419F4A F3A7 REPZ CMPSD

and you have the answer but not a real serial....YET !

+SplAj }>

stinky_tsehp
July 11th, 2001, 15:31
Quote:
Eternal Bliss (07-05-2001 03:37):
I have attached the copy of ImportREC with the 3rd tracer enabled.
Regards
EB


tried on the notepad asprotected included with mine, the "trap flag" tracer doesn't work on entries rva 63f0-63f8...

so my offer is still there : I offer my tracer.dll with doc to interface with importrec,
and this new tracer (not seh based but pure ring0 code) will soon work also on win nt/2k/xp...

regards,

+Tsehp